The slides indicate that the NSA is monitoring Google’s PREF cookie. The NSA is reportedly utilizing an analytics tool called HAPPYFOOT that aggregates leaked location data, in this case the PREF cookie. It is unclear exactly how the NSA’s HAPPYFOOT tool acquires these PREF cookies, though the slides seem to suggest that the spy agency may be exploiting a data leak vulnerability of some sort. However, the Washington Post reports that the NSA may be acquiring these cookies with Foreign Intelligence Surveillance Act court orders.

The slides also reveal that the NSA has partnered with the National Geospatial-Intelligence Agency, and the Washington Post reports that the two groups are using these PREF cookies to determine the locations of surveillance targets in order for the NSA to perform remote spying operations.

Cookies are small pieces of data that companies send from their websites and install on the browsers of the individuals visiting their websites. When a user revisits one of these sites, that user’s browser sends the cookie back, and the server handling the site then recognizes the browser of the user.

A Wall Street Journal article from February 2012 examined the discovery of the PREF cookie by a man named Stephen Frankel. Frankel’s case was particularly odd because he observed the cookie present in his Safari browser despite the fact that he had blocked all tracking cookies and – even odder yet – had not visited any sites in his Safari browser.

Wall Street Journal technological consultant Ashkan Soltani noted that the cookie – despite not being an advertising cookie – contains a unique identification number and cannot be disabled without disabling Google’s phishing and malware protection feature. Basically what is happening, Soltani explained, is that other browsers are periodically pinging Google for updated lists of dangerous sites. In turn, Google responds by installing this PREF cookie on user machines. This is how the cookie ended up in Frankel’s unused Safari browser.

Of course, the PREF cookie serves another purpose as well, and this other purpose seems to be that which the NSA is exploiting. On a Google policies and principles page that had to be translated from Spanish, the company notes that the PREF cookie gives Google the ability to determine user locations so that Web-content is displayed in the user’s preferred language. Per Google’s explanation, the cookie also grants location data to certain sites that want to display location-sensitive content like local news, traffic, and weather reports.

The PREF cookie may appeal to the NSA because of these characteristics: it seems to be innocuous if not beneficial, it works when all other cookies are blocked, it is present even on unused browsers, and it has the capacity to collect location data.

In general, cookies are widely used by advertising and Web firms to uniquely identify and track users online. The privacy conscious and digital rights advocates have expressed concern about cookies and online tracking for years, while the companies that use cookies have generally defended their actions by claiming that tracking data help consumers by better targeting advertisements to them and creating a better user experience online.

Authors

Threatpost
